[thirdparty/kernel/stable-queue.git] / releases / 4.14.69 / net-9p-client.c-version-pointer-uninitialized.patch

From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001
From: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Tue, 10 Jul 2018 00:29:43 +0200
Subject: net/9p/client.c: version pointer uninitialized

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.

The p9_client_version() does not initialize the version pointer. If the
call to p9pdu_readf() returns an error and version has not been allocated
in p9pdu_readf(), then the program will jump to the "error" label and will
try to free the version pointer. If version is not initialized, free()
will be called with uninitialized, garbage data and will provoke a crash.

Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
Reviewed-by: Jun Piao <piaojun@huawei.com>
Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/9p/client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -955,7 +955,7 @@ static int p9_client_version(struct p9_c
 {
 	int err = 0;
 	struct p9_req_t *req;
-	char *version;
+	char *version = NULL;
 	int msize;
 
 	p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
Commit	Line	Data
bed0f502 GKH	1	From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001
	2	From: Tomas Bortoli <tomasbortoli@gmail.com>
	3	Date: Tue, 10 Jul 2018 00:29:43 +0200
	4	Subject: net/9p/client.c: version pointer uninitialized
	5
	6	From: Tomas Bortoli <tomasbortoli@gmail.com>
	7
	8	commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.
	9
	10	The p9_client_version() does not initialize the version pointer. If the
	11	call to p9pdu_readf() returns an error and version has not been allocated
	12	in p9pdu_readf(), then the program will jump to the "error" label and will
	13	try to free the version pointer. If version is not initialized, free()
	14	will be called with uninitialized, garbage data and will provoke a crash.
	15
	16	Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
	17	Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
	18	Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
	19	Reviewed-by: Jun Piao <piaojun@huawei.com>
	20	Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
	21	Cc: Eric Van Hensbergen <ericvh@gmail.com>
	22	Cc: Ron Minnich <rminnich@sandia.gov>
	23	Cc: Latchesar Ionkov <lucho@ionkov.net>
	24	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	25	Cc: stable@vger.kernel.org
	26	Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
	27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	28
	29	---
	30	net/9p/client.c \| 2 +-
	31	1 file changed, 1 insertion(+), 1 deletion(-)
	32
	33	--- a/net/9p/client.c
	34	+++ b/net/9p/client.c
	35	@@ -955,7 +955,7 @@ static int p9_client_version(struct p9_c
	36	{
	37	int err = 0;
	38	struct p9_req_t *req;
	39	- char *version;
	40	+ char *version = NULL;
	41	int msize;
	42
	43	p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",